from the COME-DOWN-TO-DATA-KING-FOR-ALL-YOUR-USER-DATA-NEEDS-OPEN-SATURDAY dept

Facebook's new transparency report is up, and the company has released a baker's dozen of National Security Letters along with it. Thanks to the USA Freedom Act, companies finally have a way to challenge the indefinite gag orders the government attaches to its demands for user info -- a process it deploys thousands of times a year without having to run anything by a judge.

NSLs are gifts the FBI gives itself. With these self-issued pieces of paper, the agency can demand internet platforms turn over info about targeted accounts. What it can actually demand is fairly limited, although there appears to be no limit to the number of accounts the FBI can target with a single NSL. Many of the NSLs in this batch [PDF] cleared for release ask for data on multiple Facebook and Instagram users.

Only one of the released NSLs still carries the pre-Freedom Act boilerplate: the one that demands tons of info the DOJ's own internal legal guidance says the FBI can't ask for. That NSL contains a long list of things the FBI chose to consider "phone billing records" before being steered back to reality by legislation and leaked documents.

Subscriber name and related subscriber information

Account number(s)

Date the account opened or closed

Physical and or postal addresses associated with the account

Subscriber day/evening telephone numbers

Screen names or other on-line names associated with the account

All billing and method of payment related to the account including alternative billed numbers or calling cards

All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and/or user names identified by you as belonging to the targeted account in this letter

The reason we're even seeing these NSLs published can be tied directly to the Snowden leaks, which led to the modification of several secretive government programs and policies with the USA Freedom Act. While these modifications may have altered how the government demands data and communications, they haven't really slowed the government's roll. As Zack Whittaker notes for TechCrunch, the government is demanding more from Facebook more often.

The U.S. government’s demands for customer data went up by 30 percent, to 42,466 total requests, Facebook said, affecting 70,528 accounts. The company said that more than half included a non-disclosure clause that prevented the company from informing the user.

If it's data you're seeking, you go to where the data is. A platform with a billion users is a good start, especially when Instagram adds another 600 million user accounts to the mix. While it's good to see the uptick in demands is matched with an uptick in warrants and other orders that require the input of a court, the continued use of NSLs to acquire user info is concerning. These subpoenas -- issued and approved by the agency demanding user data -- more resemble fishing licenses than legal documents, which explains their continued popularity among FBI agents.

Each of the NSLs that we are publishing initially included an indefinite nondisclosure requirement that prohibited us from sharing any information about the letter or publicly acknowledging that we received an NSL.

We recently requested that these nondisclosure requirements be lifted, under the “reciprocal notice” procedures of the USA FREEDOM Act. More detail on the procedures that we followed is below.

In response to our requests, the FBI lifted the gag orders with respect to all information in each of the NSLs we are making available today. Before publishing the letters publicly, however, we decided to redact the following information from each letter: (1) the site URL about which the government requested information, (2) names of Automattic personnel to whom the request was addressed, and (3) name and contact information for the FBI personnel involved in making the information request.

We made these limited redactions in order to protect privacy interests. The NSLs are otherwise what we received when they were served onto us.

The five NSLs are identical. (PDF links included at the bottom of the Automattic post.) Automattic responded to four of those, but had none of the information requested for the fifth. After the gag orders were lifted by the FBI, Automattic informed the targeted users.

The boilerplate NSLs ask for far more info than the FBI's own legal guidance suggests it should be able to request. A 2008 DOJ legal memo says NSLs should be constrained to "phone billing records." The FBI has apparently decided to interpret this as any and all electronic transactional records when it comes to internet service providers. Here's what's requested in the Automattic NSLs:

Subscriber name and related subscriber information

Account number(s)

Date the account opened or closed

Physical and or postal addresses associated with the account

Subscriber day/evening telephone numbers

Screen names or other on-line names associated with the account

All billing and method of payment related to the account including alternative billed numbers or calling cards

All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and/or user names identified by you as belonging to the targeted account in this letter

The names of any and all upstream and providers facilitating this account's communications

This is where the FBI starts digging, apparently. By demanding all this info from a single service provider, the FBI can issue NSLs and subpoenas to a large number of additional third parties, even though the DOJ's legal guidance suggests the FBI's NSL requests should be far more constrained.

The recently-instituted challenge options are better than what was in place previously, but Automattic points out there's still plenty of room for improvement.

We also continue to believe that NSLs pose serious constitutional concerns, particularly because they indefinitely prevent companies like us from speaking about them, and informing our users or the public about the NSLs that we receive. The procedures used to lift nondisclosure requirements are flawed because they put the burden of seeking an end to secrecy almost entirely on the companies, like Automattic, who receive NSLs.

The FBI has almost zero legal obligation to perform proactive reviews of issued NSL gag orders. Recipients must spend their time and money challenging them. Fortunately, the challenge process now requires much less of these scarce resources. Automattic has its own boilerplate form for challenging boilerplate NSL gag orders -- one it's willing to share with any NSL recipient -- so we should be seeing more of these released in the near future.

from the UPDATE-GAG-ORDER-NOW? dept

Update: Adobe has clarified that this was not a National Security Letter (NSL), but rather a search warrant along with a "Delayed Notice Order" (DNO) that had no expiration. The principles are the same, but the vehicle was different. We have updated the article below and apologize for the error.

Another government request for info with a never-ending gag order is on its way to being published. There's no way of telling when it will arrive, but it will be sooner than the government's clear preference: never.

Thankfully, the court in Adobe’s case recognized the serious harm to free speech these gags represent. It held that orders barring companies from notifying their users about government data requests are both prior restraints and content-based restrictions on speech subject to strict scrutiny. That’s a very high bar. The court found that the indefinite gag order imposed on Adobe fails strict scrutiny because the government could make “no showing[] that Adobe’s speech will threaten the investigation in perpetuity.”

Adobe first contends that 18 U.S. § 2750(b) (“Section 2705(b)”) requires that the Court provide a date certain for the NPO’s [Notice Preclusion Order] expiration. The government contends that Section 2705(b) allows for NPOs of indefinite duration. The Court agrees with the government.

But it's this assertion -- the one the court agrees with -- that allows Adobe's free speech arguments to prevail.

Adobe next contends that the NPO is a content-based prior restraint that is not narrowly-tailored to achieve a compelling government interest. As such, Adobe argues, the NPO violates the First Amendment. (Appl. at 4-5.) The government argues that (1) Adobe does not have a right under the First Amendment to notify the Subscriber of the Warrant’s existence; and (2) even if Adobe did have such a right, the government’s compelling interests justify the NPO as currently tailored. The Court finds that a narrower tailoring of the NPO is warranted.

[...]

As written, the NPO at issue herein effectively bars Adobe’s speech in perpetuity. The government does not contend, and has made no showing, that Adobe’s speech will threaten the investigation in perpetuity. Therefore, as written, the NPO manifestly goes further than necessary to protect the government’s interest.

The court also isn't interested in helping the government shift the burden to Adobe as to why this NPO shouldn't be in place indefinitely. In fact, it finds the government's attempt to do so undermines its "this doesn't implicate the First Amendment" arguments.

The government further argues that the NPO is already limited by the Court’s discretion to set an end at some later date. As this “judicial[] limit[]” allows “both Adobe and the government to apply for the order to be lifted after its raison d’etre fades, the NPO is as narrowly-tailored as required.” (Oppo. at 17.) This argument ignores the fact that Adobe is not privy to the government’s investigation. Thus Adobe will not know when the NPO’s “raison d’etre fades.” Moreover, virtually every statute, regulation, order, or other government-imposed restriction on speech can be attacked in a judicial proceeding. Therefore, the government’s argument – in essence, “The order is narrowly-tailored because Adobe has the option of challenging it in court” – demonstrates nothing of relevance.

In any event, putting the onus on the speaker to lift a no-longer-justified content-based restriction is hardly narrow tailoring. Adding the fact that the speaker cannot know when the restriction’s “raison d’etre fades” effectively equates to no tailoring at all. An RCS provider might decide to forego speaking rather than incur the trouble and expense of potentially futile court trips. That the government could in theory, apply to have the NPO lifted is no answer. As the NPO does not apply to the government, the government would have little incentive to do so. Accordingly, on the record before the Court, the government’s argument does little more than illustrate the NPO’s potential for burdening or chilling Adobe’s speech.

Other similar litigation is still ongoing and this decision bears little precedential value, especially in other circuits. But every judicial citation attacking indefinite gag orders helps, especially as these challenges are becoming more common as a result of the USA Freedom Act's creation of new redress options for gag order recipients.

In the post accompanying the disclosure, Microsoft points out the USA Freedom Act is the only reason it's been able to release the NSL. This is one of the benefits of the recent law: a better, faster way to compel review of NSL gag orders, which used to take place almost never.

In addition, Microsoft notes FISA orders are on the rise. Of course, its reporting is limited to useless "bands," so the only thing that can definitely be determined is Microsoft's FISA interactions have at least doubled.

What's included in the NSL is more of the same: demands for subscriber info backed solely by the authority of the FBI agent who typed it up. No judicial approval needed. What isn't in there are demands for a bunch of info the FBI has no business asking for, like in those served to Yahoo. In one of Yahoo's NSLs, the government demanded the service provider go above and beyond statutory requirements and hand over everything from subscriber phone numbers to "upstream providers" associated with the named account.

It also contains the old, pre-USA Freedom Act boilerplate about challenging the gag order -- something the FBI continued to append to post-USA Freedom Act NSLs until the Internet Archive shamed it into admitting it was using outdated language.

Going forward, the government should expect the challenges to continue. Microsoft notes it's currently in court contesting the feds' increasing use of gag orders -- something it justifies using a law meant to protect the privacy of electronic communications: the ECPA.

The trickle of un-gagged NSLs is encouraging. Even if the releases trail far behind issuances (both in number and elapsed time), the fact that we're seeing any at all remains a small miracle. If service providers are enjoying these very occasional forays out from under gag orders, they might want to consider sending a few fruit baskets Snowden's way.

from the first-amendment? dept

In the last few months, we've seen multiple internet companies finally able to reveal National Security Letters (NSLs) they had received from the Justice Department, demanding information from the companies, while simultaneously saddling those companies with gag orders, forbidding them to speak about the orders. It started last June, when Yahoo was the first company to publicly acknowledge such an NSL. In December, Google revealed 8 NSLs around the same time that the Internet Archive was able to reveal it had received an NSL as well. Earlier this month, Cloudflare was finally able to reveal the NSL it had received (which a Senate staffer had told the company was impossible -- and the company's top lawyer was bound by the gag order, unable to correct that staffer).

If you don't recall, Twitter has been much more aggressive than basically all of the other tech companies in challenging these gag orders. Back in 2014, Twitter sued the government, claiming it was a First Amendment violation to enforce these gag orders. That was after most of the other major internet companies had come to an agreement over how and when they could report such requests. Twitter, thankfully, felt that the agreement between the DOJ and internet companies was way too stifling and has fought it:

Twitter remains unsatisfied with restrictions on our right to speak more freely about national security requests we may receive. We continue to push for the legal ability to speak more openly on this topic in our lawsuit against the U.S. government, Twitter v. Lynch.

We continue to believe that reporting in government-mandated bands does not provide meaningful transparency to the public or those using our service. However, the government argues that any numerical reporting more detailed than the bands in the USA Freedom Act would be classified and as such not protected by the First Amendment. They further argue that Twitter is not entitled to obtain information from the government about the processes followed in classifying a version of Twitter’s 2013 Transparency Report or in classifying/declassifying decisions associated with the allowed bands. We would like a meaningful opportunity to challenge government restrictions when “classification” prevents speech on issues of public importance.

Our next hearing in the Lynch case is scheduled for February 14, 2017. Concurrently, Twitter is using the statutory means provided in the USA Freedom Act to seek more transparency into similar NSL requests, and will provide updates as they become available.

That last paragraph makes it fairly clear (though it should have been obvious) that Twitter is still gagged on more NSLs. And that's kind of a key thing in all of these recent "releases" of NSLs. They're only released when the government lifts the gag orders on them -- and that's very troubling. There is a long history in this country of the government abusing its powers to spy on the public. If it alone gets to decide when to reveal the nature of its surveillance efforts, then the public really has no insight or understanding into just how widespread the practice might be.

And the most ridiculous thing in all of this is that it's hard to fathom any actual justification for this kind of thing. Yes, you can understand not necessarily revealing an ongoing investigation into a crime, but the gag orders go much further, barring companies from even admitting how many NSLs they receive. It's hard to see how revealing that kind of information -- in any way -- compromises law enforcement or intelligence investigations. The only thing it serves to do is to hide from the public the scale of the surveillance.

from the shame:-the-universal-motivator dept

One of the reforms included in the USA Freedom Act is the actual ability to challenge National Security Letter gag orders. Prior to the passage of this bill, recipients were limited to challenging gag orders once per year -- challenges that rarely succeeded. The process is no longer restricted to annual challenges, but many recipients won't be aware of this fact because the FBI hasn't been interested in telling them.

The NSL we received includes incorrect and outdated information regarding the options available to a recipient of an NSL to challenge its gag. Specifically, the NSL states that such a challenge can only be issued once a year. But in 2015, Congress did away with that annual limitation and made it easier to challenge gag orders. The FBI has confirmed that the error was part of a standard NSL template and other providers received NSLs with the same significant error. We don’t know how many, but it is possibly in the thousands (according to the FBI, they sent out around 13,000 NSLs last year). How many recipients might have delayed or even been deterred from issuing challenges due to this error?

Having been caught using outdated boilerplate, the FBI will now be sending out thousands of correction letters [PDF]. It's not as though the FBI wasn't aware of the changes in the laws governing NSLs. It likely found it more conducive to its secrecy aims to allow the old boilerplate to remain until recipients caught on.

Not only will the FBI be updating its NSL boilerplate, but it has apparently been shamed into transparency… at least in this particular case. The gag order on this NSL has been dropped and the Internet Archive is allowed to publish the redacted request.

The request asks for all personal information related to the targeted accounts from "inception to present." But there's another problem with the request which goes beyond outdated boilerplate. As the EFF's letter to the FBI [PDF] points out, the Internet Archive isn't the sort of entity the FBI can actually serve an NSL to.

18 U.S.C. 2709 is inapplicable to the Archive in this matter because the Archive is a library. Under 2709(g), the FBI cannot issue an NSL demanding records -- or imposing a nondisclosure requirement -- to libraries unless they are providers of wire or electronic communications services. The NSL does not specify which of the Archive's services it seeks records from and thus does not identify any context in which the Archive is a provider of a wire or electronic communication service.

The letter also points out that the FBI's gag order is unconstitutional prior restraint, something that runs contrary to the First Amendment. Of course, it's one thing for an NSL recipient to make this allegation. It's quite another to have it confirmed by a federal court. The EFF's constitutional challenge of NSL gag orders is currently awaiting review by the Ninth Circuit Court of Appeals. Whatever conclusion the court arrives at, there's little doubt that it will ultimately make its way to the US Supreme Court. Whether or not the Supreme Court decides to address it is likely still at least a year or two away.

But the voluntary lifting of a gag order by the FBI is a positive development -- one that suggests the more these orders are challenged, the more often the government will discover its demands for indefinite secrecy are rarely supported by the facts of the case.

from the new-law-means-challengers-can-be-told-'no'-more-frequently dept

Another National Security Letter issued by the government has made its way into the public domain. While it's still likely years away from the full exposure finally granted to Nicholas Merrill of Calyx Internet Access (after 11 years!), this one may not stay covered up for the next decade.

Respondent notified the FBI that it intended to file a petition to set aside the nondisclosure provision of the NSL. Respondent opined that the nondisclosure provision may no longer be needed. Respondent also invited the Government to initiate a judicial review proceeding in lieu of Respondent's filing a petition. The Government responded by initiating the instant proceeding.

Just prior to Respondent's filing of its opposition to the petition, the laws governing NSLs were amended via the USA FREEDOM Act of 2015, Pub. L. 114-23, 129 Stat. 268. Accordingly, the Court will conduct its judicial review under the most recent version of the relevant statutes, specifically, sections 2709 and 3511 of Title 18, United States Code.

The unnamed respondent (redacted and under seal) claims the government hasn't met the burden of justifying the ongoing gag order -- an argument it has been forced to make without any knowledge of what the government has submitted (or withheld) to justify the continued secrecy. The court, however, has viewed material supporting the government's contentions and, no surprise, found in favor of national security.

There is reason to believe that disclosure of the information subject to the nondisclosure requirement during the applicable time period may result in a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.

The problem is, the "applicable time period" is completely open-ended. Even with the added stipulations of the USA Freedom Act, the government can keep this gag order in place for the next several years, provided the government periodically asserts that "danger" of the national security type is still present.

At present, the nondisclosure requirement in this case has no ending date, and the Court's review of its continued viability falls within an interim period between the effective date of the USA FREEDOM Act of 2015, which directs the Attorney General to "adopt procedures with respect to nondisclosure requirements ... to require ... review at appropriate intervals ... and termination ... if the facts no longer support nondisclosure," and the anticipated but unknown date when the Attorney General will have actually promulgated such procedures. In the absence of those governing procedures, the Court will require the Government to review every 180 days the rationale for the nondisclosure requirement's continuation. Once the Attorney General's procedures are in place, then the nondisclosure requirement will be subject to review thereunder, and this Court's mandate of review every 180 days will no longer be in force.

So, the gag order will only be looked at every six months until the Attorney General takes over, at which point it will be reviewed at "appropriate intervals." Putting this into the hands of the Attorney General seems less likely to result in a ruling in favor of disclosure than leaving it up to a more impartial court. Even with this "fix" in place, there's very little reason to expect the gag order to be lifted any time soon.

As for the unnamed respondent's First Amendment arguments, the court says these alleged violations are outweighed by the government's need for secrecy in national security investigations. Furthermore, it's suggested the respondent should be happy the government has grudgingly allowed it to report nonspecific information on requests for subscriber data.

The methods of reporting established in §1874 -- with reporting allowed in "bands" of numbers and with restriction on the period of time for which a report may be issued -- are a reasonable accommodation of an ECSP's desire for transparency and the Government's compelling interest in national security.

There's no telling who the service provider is that's challenging the gag order. One of the few details that can be sussed out from the documents no longer under seal is that the NSL likely arrived in the first three months of this year. At this point, the service provider won't be able to have the decision reviewed until summer of next year and after that, it will be in the Attorney General's hands. The encouraging sign is that the Attorney General's office has already agreed to unseal certain documents in this case, rather than keep the entire discussion hidden from the general public. Granted, the documents do little more than confirm the government's belief that the gag order should remain in place -- without providing anything more than vague national security concerns to back up that assertion.

from the now-revealed dept

We've already discussed how Nicholas Merrill can finally reveal the ridiculous and almost certainly unconstitutional National Security Letter (NSL) he received 11 years ago while operating a small ISP, Calyx Internet Access. However, with that revelation also came the unredacted version of the judge's ruling back in October. When we wrote about the October ruling we had mocked many of the obviously ridiculous redactions -- including this somewhat iconic redacted footnote:

The Court notes that the Leahy Letter does not reveal the "180 day" time period in which the FBI sought order and shipping information from Merrill. The Perdue Declaration argues that if this 180-day period is revealed, then "potential terrorists" could manipulate orders to avoid having those orders fall within the 180 day period.... The Court is not persuaded. A "potential terrorist" does not know when, if ever, the FBI will issue a related NSL. The 180-day period clearly relates to the date Merrill received the NSL, and it is hard to imagine any person outside of the FBI having the knowledge about when an NSL might be issued, and changing their behavior as a result.

Many of the other redactions just involve hiding what kind of information is currently being redacted, even as the judge wondered why such information was being redacted. For example, we originally highlighted this section:

And in the unredacted portion, we see that basically the government insisted on redacting the fact that the NSL asked for "subscriber day/evening telephone numbers" and the judge can't figure out why the FBI thinks this needs to be secret.

Elsewhere, the redactions get even more direct in hiding the judge totally mocking the DOJ's arguments. Take this section for example:

We now see it was the judge mocking the ridiculousness of these redactions:

If you can't see that, it's the judge pointing out the ridiculousness of the FBI already allowing the public to know it can collect records of an "address" and a "telephone number" but not "addresses" and "telephone numbers" (i.e., the plural versions). As the judge noted, but was originally redacted:

... a potential target of an investigation, even a dim-witted one, would almost certainly be able to determine, simply by running through the alphabet, that "telephone number█" could only be "telephone numbers." Redactions that defy common sense -- such as concealing a single letter at the end of a word -- diminish the force of the Government's claim to "good reason" to keep information under seal, and undermine its argument that disclosures of the currently-redacted information in the Attachment can be linked to a substantial risk of an enumerated harm.

The judge also mocks the ridiculous argument that, even though the FBI is no longer using NSLs to obtain cell-tower location info, such info should be redacted because the FBI might at some point in the future use NSLs that way:

Here's the unredacted version:

Later in the document, the judge was even forced to redact the phrase "sophisticated foreign adversaries" in noting that such people would already know that the FBI could collect such information.

It was pretty clear back in October the redactions were ridiculous (as was the whole gag order in the first place), and now it's been confirmed.

from the fighting-back dept

Microsoft has announced that its challenge against a National Security Letter (NSL) has finally been unsealed after the FBI dropped the request. If you're not familiar with them, the NSL is a process by which the FBI can basically demand a company hand over just about anything, by claiming it's a matter of national security. As we've discussed, National Security Letters -- which come with built-in gag orders -- are very rarely challenged. Two years ago, we noted that despite 50,000 NSLs, many of them later determined to be abusive, there had been only four challenges and the FBI simply dropped the requests on two of them.

Since then, it seems clear that there has been an uptick in companies challenging them, though the challenges are still hidden by the gag orders. Microsoft specifically challenged that gag order, leading the FBI to withdraw its letter. But that also means that the FBI doesn't get in any trouble at all for abusing the NSL process and fishing for information. Already, one court has found those letters unconstitutional, but that decision has been stayed while it goes through the lengthy appeals process. In the meantime, the FBI gets to keep fishing. It's good to see Microsoft challenging them, but this story could just as easily be "FBI gets away with yet another fishing expedition."